cfn-nag 0.3.73 → 0.3.74

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1f92b4e5025b097a9c43fb1bedd691f61611e8902109f2e6ac1500819ce7a966
-  data.tar.gz: 5fc445b20109d8b843a1946adf29941f235fff67bc8bd8a5e3bcbdfc2c158ce5
+  metadata.gz: df7c2cd400873808f2c86c468bf2b8fe254b4f818629ca85cae8d4249e61e91b
+  data.tar.gz: b07f2ab8db5b52656283fb72ed7660abb8d9461323230fca262434e0d9e1f8b6
 SHA512:
-  metadata.gz: e184524a035bf8be537b23e52f8718969aa7342e9834fff65931928d5e8f107b9fc6b42bab97a2c451c0d1f502d4d78b9c830a73543bb3dd58c4d6cc6e99fcd8
-  data.tar.gz: 8c0729ab854708080bef5a2bcc71292c1a51787cd0856877481f1d929c2efe7d4574875bc077a69c237ab22038e11cf3fdef239c187c9a7fb9c35a95447f33e0
+  metadata.gz: ad73aa5062aee010cf3a3ebdee335ec54e7e13f1dd366f003d7c9b613c0c91868f65508c8e6e68d883fa2dba5954c08576c1365840612b99214dda3f81655940
+  data.tar.gz: 5c72467fe9904e35a3871186b1217890c8662010795d47d950e2980674ce53e7967f4d94b63b515067df7bba7e3f7b4c7b18f909a8ef9afa6ecc99f94423ddf0

data/bin/cfn_nag

@@ -42,6 +42,11 @@ opts = Trollop.options do
       type: :io,
       required: false,
       default: nil
+  opt :blacklist_path,
+      'Path to a blacklist file',
+      type: :io,
+      required: false,
+      default: nil
   opt :parameter_values_path,
       'Path to a JSON file to pull Parameter values from',
       type: :io,
@@ -55,13 +60,18 @@ opts = Trollop.options do
 end
 # rubocop:enable Metrics/BlockLength
 
-CfnNag.configure_logging(opts)
+CfnNagLogging.configure_logging(opts)
 
 profile_definition = nil
 unless opts[:profile_path].nil?
   profile_definition = IO.read(opts[:profile_path])
 end
 
+blacklist_definition = nil
+unless opts[:blacklist_path].nil?
+  blacklist_definition = IO.read(opts[:blacklist_path])
+end
+
 parameter_values_string = nil
 unless opts[:parameter_values_path].nil?
   parameter_values_string = IO.read(opts[:parameter_values_path])
@@ -69,6 +79,7 @@ end
 
 cfn_nag = CfnNag.new(
   profile_definition: profile_definition,
+  blacklist_definition: blacklist_definition,
   rule_directory: opts[:rule_directory],
   allow_suppression: opts[:allow_suppression],
   print_suppression: opts[:print_suppression],

data/bin/cfn_nag_scan

@@ -46,6 +46,11 @@ opts = Trollop.options do
       type: :io,
       required: false,
       default: nil
+  opt :blacklist_path,
+      'Path to a blacklist file',
+      type: :io,
+      required: false,
+      default: nil
   opt :parameter_values_path,
       'Path to a JSON file to pull Parameter values from',
       type: :io,
@@ -79,15 +84,21 @@ unless %w[txt json].include?(opts[:output_format])
               'Must be txt or json')
 end
 
-CfnNag.configure_logging(opts)
+CfnNagLogging.configure_logging(opts)
 
 profile_definition = nil
 unless opts[:profile_path].nil?
   profile_definition = IO.read(opts[:profile_path])
 end
 
+blacklist_definition = nil
+unless opts[:blacklist_path].nil?
+  blacklist_definition = IO.read(opts[:blacklist_path])
+end
+
 cfn_nag = CfnNag.new(
   profile_definition: profile_definition,
+  blacklist_definition: blacklist_definition,
   rule_directory: opts[:rule_directory],
   allow_suppression: opts[:allow_suppression],
   print_suppression: opts[:print_suppression],

data/lib/cfn-nag.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 
 require 'cfn-nag/cfn_nag'
+require 'cfn-nag/cfn_nag_logging'
 require 'cfn-nag/violation'
 require 'cfn-nag/rule_dumper'

data/lib/cfn-nag/blacklist_loader.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+class BlackListLoader
+  def initialize(rules_registry)
+    @rules_registry = rules_registry
+  end
+
+  def load(blacklist_definition:)
+    raise 'Empty profile' if blacklist_definition.strip == ''
+
+    blacklist_ruleset = RuleIdSet.new
+
+    blacklist_hash = load_blacklist_yaml(blacklist_definition)
+    raise 'Blacklist is malformed' unless blacklist_hash.is_a? Hash
+
+    rules_to_suppress = blacklist_hash.fetch('RulesToSuppress', {})
+    raise 'Missing RulesToSuppress key in black list' if rules_to_suppress.empty?
+
+    rule_ids_to_suppress = rules_to_suppress.map { |rule| rule['id'] }
+    rule_ids_to_suppress.each do |rule_id|
+      check_valid_rule_id rule_id
+      blacklist_ruleset.add_rule rule_id
+    end
+
+    blacklist_ruleset
+  end
+
+  private
+
+  def load_blacklist_yaml(blacklist_definition)
+    YAML.safe_load(blacklist_definition)
+  rescue StandardError => yaml_parse_error
+    raise "YAML parse of blacklist failed: #{yaml_parse_error}"
+  end
+
+  def check_valid_rule_id(rule_id)
+    return true unless @rules_registry.by_id(rule_id).nil?
+
+    raise "#{rule_id} is not a legal rule identifier from: #{rules_ids}"
+  end
+end

data/lib/cfn-nag/cfn_nag.rb

@@ -2,28 +2,34 @@
 
 require_relative 'custom_rule_loader'
 require_relative 'rule_registry'
-require_relative 'profile_loader'
+require_relative 'violation_filtering'
 require_relative 'template_discovery'
 require_relative 'result_view/simple_stdout_results'
 require_relative 'result_view/json_results'
 require 'cfn-model'
-require 'logging'
 
 # Top-level CfnNag class for running profiles
 class CfnNag
+  include ViolationFiltering
+
+  # rubocop:disable Metrics/ParameterLists
   def initialize(profile_definition: nil,
+                 blacklist_definition: nil,
                  rule_directory: nil,
                  allow_suppression: true,
                  print_suppression: false,
                  isolate_custom_rule_exceptions: false)
     @rule_directory = rule_directory
     @custom_rule_loader = CustomRuleLoader.new(
-      rule_directory: rule_directory, allow_suppression: allow_suppression,
+      rule_directory: rule_directory,
+      allow_suppression: allow_suppression,
       print_suppression: print_suppression,
       isolate_custom_rule_exceptions: isolate_custom_rule_exceptions
     )
     @profile_definition = profile_definition
+    @blacklist_definition = blacklist_definition
   end
+  # rubocop:enable Metrics/ParameterLists
 
   ##
   # Given a file or directory path, emit aggregate results to stdout
@@ -81,7 +87,8 @@ class CfnNag
       cfn_model = CfnParser.new.parse cloudformation_string,
                                       parameter_values_string
       violations += @custom_rule_loader.execute_custom_rules(cfn_model)
-      violations = filter_violations_by_profile violations
+
+      violations = filter_violations_by_blacklist_and_profile(violations)
     rescue Psych::SyntaxError, ParserError => parser_error
       violations << fatal_violation(parser_error.to_s)
     rescue JSON::ParserError => json_parameters_error
@@ -92,18 +99,26 @@ class CfnNag
     audit_result(violations)
   end
 
-  def self.configure_logging(opts)
-    logger = Logging.logger['log']
-    logger.level = if opts[:debug]
-                     :debug
-                   else
-                     :info
-                   end
+  private
 
-    logger.add_appenders Logging.appenders.stdout
-  end
+  def filter_violations_by_blacklist_and_profile(violations)
+    violations = filter_violations_by_profile(
+      profile_definition: @profile_definition,
+      rule_definitions: @custom_rule_loader.rule_definitions,
+      violations: violations
+    )
 
-  private
+    # this must come after - blacklist should always win
+    violations = filter_violations_by_blacklist(
+      blacklist_definition: @blacklist_definition,
+      rule_definitions: @custom_rule_loader.rule_definitions,
+      violations: violations
+    )
+    violations
+  rescue StandardError => blacklist_or_profile_parse_error
+    violations << fatal_violation(blacklist_or_profile_parse_error.to_s)
+    violations
+  end
 
   def audit_result(violations)
     {
@@ -118,18 +133,6 @@ class CfnNag
                   message: message)
   end
 
-  def filter_violations_by_profile(violations)
-    profile = nil
-    unless @profile_definition.nil?
-      profile = ProfileLoader.new(@custom_rule_loader.rule_definitions)
-                             .load(profile_definition: @profile_definition)
-    end
-
-    violations.reject do |violation|
-      !profile.nil? && !profile.execute_rule?(violation.id)
-    end
-  end
-
   def render_results(aggregate_results:,
                      output_format:)
     results_renderer(output_format).new.render(aggregate_results)

data/lib/cfn-nag/cfn_nag_logging.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+require 'logging'
+
+class CfnNagLogging
+  def self.configure_logging(opts)
+    logger = Logging.logger['log']
+    logger.level = opts[:debug] ? :debug : :info
+    logger.add_appenders Logging.appenders.stdout
+  end
+end

data/lib/cfn-nag/profile_loader.rb

@@ -1,8 +1,7 @@
 # frozen_string_literal: true
 
-require_relative 'profile'
+require_relative 'rule_id_set'
 
-# Load rule profile
 class ProfileLoader
   def initialize(rules_registry)
     @rules_registry = rules_registry
@@ -15,7 +14,7 @@ class ProfileLoader
     profile_definition ||= ''
     raise 'Empty profile' if profile_definition.strip == ''
 
-    new_profile = Profile.new
+    new_profile = RuleIdSet.new
 
     profile_definition.each_line do |line|
       next unless (rule_id = rule_line_match(line))

data/lib/cfn-nag/result_view/rules_view.rb

@@ -16,7 +16,7 @@ class RulesView
     warnings.sort { |left, right| sort_id(left, right) }.each do |warning|
       if profile.nil?
         puts "#{warning.id} #{warning.message}"
-      elsif profile.execute_rule?(warning.id)
+      elsif profile.contains_rule?(warning.id)
         puts "#{warning.id} #{warning.message}"
       end
     end
@@ -26,7 +26,7 @@ class RulesView
     failings.sort { |left, right| sort_id(left, right) }.each do |failing|
       if profile.nil?
         puts "#{failing.id} #{failing.message}"
-      elsif profile.execute_rule?(failing.id)
+      elsif profile.contains_rule?(failing.id)
         puts "#{failing.id} #{failing.message}"
       end
     end

data/lib/cfn-nag/{profile.rb → rule_id_set.rb}

@@ -3,7 +3,7 @@
 require 'set'
 
 # Container class for profiles
-class Profile
+class RuleIdSet
   attr_reader :rule_ids
 
   def initialize
@@ -16,7 +16,7 @@ class Profile
   end
 
   # Does the list of rule ids contain rule_id?
-  def execute_rule?(rule_id)
+  def contains_rule?(rule_id)
     @rule_ids.include? rule_id
   end
 end

data/lib/cfn-nag/violation_filtering.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/profile_loader'
+require 'cfn-nag/blacklist_loader'
+
+module ViolationFiltering
+  def filter_violations_by_profile(profile_definition:, rule_definitions:, violations:)
+    profile = nil
+    unless profile_definition.nil?
+      begin
+        profile = ProfileLoader.new(rule_definitions)
+                               .load(profile_definition: profile_definition)
+      rescue StandardError => profile_load_error
+        raise "Profile loading error: #{profile_load_error}"
+      end
+    end
+
+    violations.reject do |violation|
+      !profile.nil? && !profile.contains_rule?(violation.id)
+    end
+  end
+
+  def filter_violations_by_blacklist(blacklist_definition:, rule_definitions:, violations:)
+    blacklist = nil
+    unless blacklist_definition.nil?
+      begin
+        blacklist = BlackListLoader.new(rule_definitions)
+                                   .load(blacklist_definition: blacklist_definition)
+      rescue StandardError => blacklist_load_error
+        raise "Blacklist loading error: #{blacklist_load_error}"
+      end
+    end
+
+    violations.reject do |violation|
+      !blacklist.nil? && blacklist.contains_rule?(violation.id)
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-nag
 version: !ruby/object:Gem::Version
-  version: 0.3.73
+  version: 0.3.74
 platform: ruby
 authors:
 - Eric Kascic
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-18 00:00:00.000000000 Z
+date: 2019-04-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -135,7 +135,9 @@ files:
 - bin/cfn_nag_rules
 - bin/cfn_nag_scan
 - lib/cfn-nag.rb
+- lib/cfn-nag/blacklist_loader.rb
 - lib/cfn-nag/cfn_nag.rb
+- lib/cfn-nag/cfn_nag_logging.rb
 - lib/cfn-nag/custom_rule_loader.rb
 - lib/cfn-nag/custom_rules/CloudFormationAuthenticationRule.rb
 - lib/cfn-nag/custom_rules/CloudFrontDistributionAccessLoggingRule.rb
@@ -196,16 +198,17 @@ files:
 - lib/cfn-nag/ip_addr.rb
 - lib/cfn-nag/jmes_path_discovery.rb
 - lib/cfn-nag/jmes_path_evaluator.rb
-- lib/cfn-nag/profile.rb
 - lib/cfn-nag/profile_loader.rb
 - lib/cfn-nag/result_view/json_results.rb
 - lib/cfn-nag/result_view/rules_view.rb
 - lib/cfn-nag/result_view/simple_stdout_results.rb
 - lib/cfn-nag/rule_definition.rb
 - lib/cfn-nag/rule_dumper.rb
+- lib/cfn-nag/rule_id_set.rb
 - lib/cfn-nag/rule_registry.rb
 - lib/cfn-nag/template_discovery.rb
 - lib/cfn-nag/violation.rb
+- lib/cfn-nag/violation_filtering.rb
 homepage: https://github.com/stelligent/cfn_nag
 licenses:
 - MIT